This page shows the differences between two revisions.
| | lpi2:fail2ban [2018/02/02 11:03] ingo_wichmann | | lpi2:fail2ban [2026/01/10 22:35] (current) ingo_wichmann |
|---|---|---|---|
| Zeile 1: | Zeile 1: | ||
| Pakete: | Pakete: | ||
| - | * Debian (ab 7): ''fail2ban'' | + | * Debian (ab 12): ''fail2ban python3-pyinotify python3-systemd'' |
| Per default überwacht fail2ban bei debian ssh: | Per default überwacht fail2ban bei debian ssh: | ||
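Review bot: the new package line adds python3-pyinotify and python3-systemd without saying what they are for, while the following context line still only says that fail2ban watches ssh by default on Debian. A short sentence on which backend each package enables (pyinotify for file-based logpaths, systemd for reading the journal when no /var/log/auth.log is written) would make the dependency list understandable, and since the version requirement jumps from "ab 7" to "ab 12", the text should say whether the rest of the page now assumes Debian 12 only.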
| Zeile 59: | Zeile 59: | ||
| fail2ban-client reload | fail2ban-client reload | ||
| fail2ban-client status | fail2ban-client status | ||
| - | fail2ban-client status sshd | + | fail2ban-client status apache-auth |
| + | |||
| + | Von einem anderen Rechner aus: | ||
| + | ab -n 10 -A heinz:nono http://192.168.212.11/fail2ban-test/index.html | ||
| + | |||
| + | less /var/log/fail2ban.log | ||
| + | |||
| + | ====== Apache Log mit HTTP Status 400 (Bad Request) ====== | ||
| + | Beispiel für Zeile aus ''access.log'' mit Status 400: | ||
| + | |||
| + | <file txt /var/log/apache/access.log> | ||
| + | server.example.org:80 139.162.173.209 - - [10/Jan/2026:21:10:46 +0000] "GET default.asp HTTP/1.1" 400 444 "-" "-" | ||
| + | </file> | ||
| + | |||
| + | ===== Filter ===== | ||
| + | <file txt /etc/fail2ban/filter.d/apache-badrequest.local> | ||
| + | [Definition] | ||
| + | failregex = ^\S+ <ADDR> - - \[[^\]]*\] "[^"]+" 400 | ||
| + | </file> (( ''<ADDR>'' siehe | ||
| + | ^Tag^Description^Example regex in filter file^ | ||
| + | |<HOST>|Matches IPv4/IPv6 address or hostname|''^Failed login from <HOST>$''| | ||
| + | |<IP4>|Matches IPv4 address only|''^Failed login from <IP4>$''| | ||
| + | |<IP6>|Matches IPv6 address only|''^Failed login from <IP6>$''| | ||
| + | |<ADDR>|Matches IPv4/IPv6 address (no hostname)|''^Connection from <ADDR>$''| | ||
| + | |<SUBNET>|Matches IP with optional CIDR notation|''^Connection from <SUBNET>$''| | ||
| + | |<F-USER>...</F-USER>|Captures a username|''^Failed login for <F-USER>\S+</F-USER>$''| | ||
| + | |<F-ID>...</F-ID>|Captures a failure ID|''^Error <F-ID>\d+</F-ID> from <HOST>$''| | ||
| + | |<SKIPLINES>|Used for multi-line matching|''^Start pattern$<SKIPLINES>^End pattern$''| | ||
| + | )) | ||
| + | |||
| + | Filter testen: | ||
| + | fail2ban-regex 'server.example.org:80 139.162.173.209 - - [10/Jan/2026:21:10:46 +0000] "GET default.asp HTTP/1.1" 400 444 "-" "-"' /etc/fail2ban/filter.d/apache-badrequest.local | ||
| + | -> sollte ''1 matched'' ausgeben | ||
| + | |||
| + | fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-badrequest.local | ||
| + | -> sollte die korrekte Anzahl Zeilen mit Status 400 ausgeben. | ||
| + | |||
| + | ===== Jail ===== | ||
| + | |||
| + | <file txt /etc/fail2ban/jail.d/apache-badrequest.local> | ||
| + | [apache_bad_request] | ||
| + | enabled = true | ||
| + | port = http,https | ||
| + | filter = apache-badrequest | ||
| + | logpath = /var/log/apache*/*access.log | ||
| + | maxretry = 3 | ||
| + | </file> | ||
| + | |||
| + | Testen: | ||
| + | fail2ban-client reload | ||
| + | -> ''OK'' | ||
| + | fail2ban-client status | ||
| + | -> ''Jail list: … apache_bad_request…'' | ||
| + | fail2ban-client status apache_bad_request | ||
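Review bot: the failregex in the new apache-badrequest filter only matches the vhost_combined log format: `^\S+ <ADDR>` requires a leading `host:port` field like the `server.example.org:80` in the sample line, so a plain combined access.log without the `%v:%p` prefix never matches and the jail silently does nothing. Either state that requirement next to the example line or make the prefix optional, e.g. `failregex = ^(?:\S+ )?<ADDR> - - \[[^\]]*\] "[^"]+" 400`. Two smaller points: the example file is labelled /var/log/apache/access.log while the fail2ban-regex test reads /var/log/apache2/access.log (the jail's logpath glob covers both, but the text should use one path consistently), and the jail sets maxretry = 3 without bantime or findtime, so the jail.conf defaults apply; saying so, and noting that any client behind a shared NAT sending three malformed requests gets the whole address banned, would help readers judge the false-positive risk of banning on status 400.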